Table of Contents
1.4 Enable NextCloud Public Internet Access
1.6 Configure Email
1.8 NextCloud Client Applications
2.1 NextCloud Talk
2.1.1 Turn Server
2.1.2 Make a Test Call
2.1.3 NextCloud Talk Clients
2.2 Other NextCloud Applications
List of Figures
Figure 1: NextCloud Configuration
Figure 2: NextCloud Login
Figure 3: NextCloud Start Page
Figure 4: Nextcloud Virtual Domain
Figure 5: NextCloud Talk Session
The importance of protecting YOUR information and communications from third parties (including cloud providers), and of limiting access to those you trust, cannot be overstated. This means self-hosted file share / sync and communications services, which keep your information out of reach of, for example, border snoops examining your devices or someone casing your joint. Disable access (VPN, logout, etc.) on your client devices before crossing borders and re-enable it once across. The premium application for this is NextCloud.
Nextcloud Talk (secure multi-party videoconference, chat and screen sharing application) is a very useful application for group collaboration.
This documentation is primarily concerned with basic NextCloud installation on SecureOffice. Given the large number of applications and usage scenarios, it is impractical to document them all. There is a wealth of NextCloud documentation and HowTos on the internet for fine tuning your installation.
Once NextCloud is installed and configured for SecureOffice, it is a standard installation and all NextCloud documentation regarding adding features, configuration and usage may be used.
NextCloud and some dependencies are custom packages, requiring a subscription to the SecureOffice custom package repository for installation. A valid license for the Docker premium package is also required; follow the docker installation instructions first.
During installation, docker-nextcloud automatically adapts to your network configuration, including the NextCloud and Nginx (web server) configuration. The following network configuration must be complete prior to installing docker-nextcloud; otherwise, the NextCloud docker and Nginx configuration must be altered by hand to accommodate it:
The NextCloud docker image requires database support. The image, by default (no configuration) internally uses mysql, which has poor performance. The default SecureOffice configuration of NextCloud uses the postgresql database, which is automatically installed and configured as a dependency of docker-nextcloud.
To install NextCloud, at a command prompt, enter: "opkg update; opkg install docker-nextcloud".
The default docker configuration file "/etc/config/docker/nextcloud" is shown below. It must be altered for your environment before the first NextCloud run; otherwise, the container must be fully removed and re-installed to change the configuration. This is because the included environment variables are only used during the first run of the image to create its internal configuration. Additional environment variables (such as optional email settings) take effect at each run.
Further information regarding NextCloud image configuration / usage can be found in the nextcloud configuration guide.
# Reference: https://docs.docker.com/engine/reference/commandline/run/
# or: docker run --help
# Images ('option image') are from https://hub.docker.com
# 'option xxxx' are single options, cannot be repeated
# 'list xxxx' are options that can be repeated multiple times
# Cannot have spaces in list parameters, replace with ',', replaced with ' ' by init script
# Multiple container sections supported
config container 'nextcloud'                  # Arbitrary container name
    option enable '0'                         # '0' or '1'
    option image 'nextcloud:20.0.4-apache'    # From docker hub
    option hostname 'nextcloud'               # DNS name for host (ping hostname)
    option run_cmd ''                         # Command for image to run at startup
    option run_cmd_args ''                    # Arguments for image startup command
    list ports "8080:80"                      # Port mapping (-p <host port>:<container port>)
    list links ''                             # Other images to link (--link <other image name>)
    # Environment variables for image (-e <VAR=VALUE>)
    # These variables are only used for initial image install
    # To change them (a) remove container, start fresh or
    # (b) alter /home/data/docker_data/nextcloud/config/config.php (mapped nextcloud directory)
    list env 'POSTGRES_PASSWORD=postgres'
    list env 'POSTGRES_USER=postgres'
    list env 'POSTGRES_DB=nextcloud'
    list env 'POSTGRES_HOST=<your_lan_address>'
    list env 'NEXTCLOUD_ADMIN_USER=admin'
    list env 'NEXTCLOUD_ADMIN_PASSWORD=admin_54321'
    list env 'NEXTCLOUD_TRUSTED_DOMAINS="<your_lan_base_address>.*,nextcloud.<your domain_name>"'
    # Quote TRUSTED_PROXIES with '|', since double '""' quotes mess up
    list env 'TRUSTED_PROXIES=|<your_lan_base_address>/24,nextcloud.<your domain_name>|'
    # End install variables
    # Directory mapping (-v <host directory>:<container directory>)
    list volume '/home/data/docker_data/nextcloud:/var/www/html'
    list parms ''                             # Extra parameters, verbatim as expected by 'docker run'
    option log_stderr '0'                     # Log container stderr to syslog
    option log_stdout '0'                     # Log container stdout to syslog
Figure 1: NextCloud Configuration
Using the nano editor ("nano /etc/config/docker/nextcloud"), alter the following values, then save the file:
Note that NextCloud internal persistent configuration files ("/home/data/docker_data/nextcloud/*") are available (file browser from device on SecureOffice LAN) at "\\<SecureOffice LAN address>/Dockers/nextcloud".
Enable and start the docker daemon: At a command prompt, enter: "/etc/init.d/dockerd enable; /etc/init.d/dockerd start; /etc/init.d/docker enable; /etc/init.d/docker start".
At first run, it will take some time for docker to download and configure the NextCloud container. Assuming the log_std* configuration values were set to '1', progress can be viewed (console) by entering "logread -f | grep docker". A successful run will log "Command line: apache2 -D FOREGROUND"; otherwise an error message appears which must be debugged before proceeding. Enter CTRL+c (together) to exit logread. Enter "ping nextcloud" to confirm the container is communicating.
At this point, NextCloud can only be accessed from your local LAN at "http://<LAN address>:8080" or "http://nextcloud" (no https for either), or from the OpenWrt menu at "Services->Nextcloud". Using a browser on a PC on your LAN, enter one of the previous addresses. After a long wait (for the initial NextCloud download / install) you should see the NextCloud login page, below:
Figure 2: NextCloud Login
Log in to NextCloud with the username and password configured above. Scroll through or dismiss ("X" in the top right-hand corner) the introduction. You should see the NextCloud start page, below:
Figure 3: NextCloud Start Page
If satisfied with private NextCloud access from local LAN only (perhaps over VPN), skip the following public access section and proceed to personalize nextcloud.
At installation, NextCloud is automatically configured for private (clients on local LAN only) network access as an Nginx virtual host, by the Nginx configuration file "/etc/nginx/vhosts/nextcloud.conf" installed as part of the docker-nextcloud package. If intending to use the NextCloud Talk application (secure videoconferencing, screen sharing and chat), public internet access is required for users to participate in conference calls unless all clients connect to your server from the local LAN or over VPN.
There are serious security considerations for public internet access; strong passwords are the minimum. It is far more secure to access NextCloud remotely through the SecureOffice VPN Server, which lets remote clients appear as local LAN clients. Public internet access is only required for remote clients that are neither on the local LAN nor connected via VPN.
The general approach (and pre-requisites) for serving a site at a dedicated domain is in the Nginx HowTo documentation.
Assuming the prerequisites such as domain, DNS, SSL certificates were met prior to docker-nextcloud installation, the configuration values "<your LAN address>" and "<your domain name>" were automatically set by Nextcloud installation.
To enable public NextCloud access, comment (insert "#") or delete the "allow" and "deny" lines in the "/etc/nginx/vhosts/nextcloud.conf" configuration file, shown below:
NextCloud will then be publicly accessible at "https://nextcloud.<your domain>". Be aware there are security implications for NextCloud public access. Use strong, hard-to-guess passwords for clients. Check the NextCloud security documentation for possible precautions, many of which are already done.
server {
    listen 443;
    listen [::]:443;
    server_name nextcloud.<your domain name>;
    add_header X-Frame-Options "ALLOW-FROM https://<your LAN address>/ https://$server_name/";
    add_header Content-Security-Policy "frame-ancestors 'self' https://<your LAN address> https://$server_name/";

    location / {
        # Comment "#" following lines to allow internet access
        # Otherwise, nextcloud only accessible from local LAN
        allow 192.168.0.0/16;
        allow 172.16.0.0/12;
        allow 10.0.0.0/8;
        allow 127.0.0.0/8;
        deny all;
        # End lines to comment

        # Set all cookies to secure, httponly and samesite (strict, lax or none)
        # Need Nginx 1.19.3+ for proxy_cookie_flags
        proxy_cookie_flags ~ secure httponly samesite=none;
        proxy_hide_header X-Frame-Options;
        proxy_hide_header Content-Security-Policy;
        proxy_pass http://<your LAN address>:8080;
        proxy_set_header Host $host;
        proxy_redirect http:// https://;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
Figure 4: Nextcloud Virtual Domain
Note: the NextCloud container speaks http only; Nginx terminates https and proxies to http and the converse.
Restart nginx for the changes to take effect: enter "/etc/init.d/nginx restart; rm -rf /var/luci-*" at a command prompt.
Enter "https://nextcloud.<your domain>" in a web browser. If all is well, you will see the NextCloud login page (Figure 2). Log in and you should see Figure 3.
If all is not well, enable NextCloud logging ("log_std* '1'"), restart NextCloud ("/etc/init.d/docker stop; /etc/init.d/docker start"), enter "logread -f | grep docker" (to watch for error messages) and try to access NextCloud again. Enter CTRL+c (together) to exit logread. Fix any errors before proceeding.
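The allow / deny lines above are the single switch between a LAN-only and a public NextCloud. As an added example (not SecureOffice or Nginx code), the following Python evaluates those rules the way nginx's access module does, so the effect of commenting them out can be checked before restarting nginx. The config excerpt is constructed from the vhost shown, with 192.0.2.1 standing in for <your LAN address>.

```python
import ipaddress
import re

# Constructed excerpt of the "location /" block in /etc/nginx/vhosts/nextcloud.conf
# as installed by docker-nextcloud (LAN-only); 192.0.2.1 stands in for <your LAN address>.
LAN_ONLY = """
    location / {
        # Comment "#" following lines to allow internet access
        allow 192.168.0.0/16;
        allow 172.16.0.0/12;
        allow 10.0.0.0/8;
        allow 127.0.0.0/8;
        deny all;
        proxy_pass http://192.0.2.1:8080;
    }
"""

# The same block after the public-access step: every allow/deny line commented out.
PUBLIC = re.sub(r"^(\s*)(allow|deny)\b", r"\1#\2", LAN_ONLY, flags=re.M)

# Active (uncommented) access directives; a leading "#" stops the match.
DIRECTIVE = re.compile(r"^\s*(allow|deny)\s+(\S+?);", re.M)


def access_rules(config: str) -> list:
    """Return the active allow/deny rules in the order nginx evaluates them."""
    return [(m.group(1), m.group(2)) for m in DIRECTIVE.finditer(config)]


def client_allowed(config: str, client_ip: str) -> bool:
    """ngx_http_access_module semantics: the first matching rule decides;
    with no matching rule (including no rules at all) the request is allowed."""
    ip = ipaddress.ip_address(client_ip)
    for action, source in access_rules(config):
        if source == "all" or ip in ipaddress.ip_network(source, strict=False):
            return action == "allow"
    return True


def is_public(config: str) -> bool:
    """True when a request from an arbitrary internet address (203.0.113.5) gets through."""
    return client_allowed(config, "203.0.113.5")


if __name__ == "__main__":
    for name, cfg in (("as installed", LAN_ONLY), ("allow/deny commented", PUBLIC)):
        print(f"{name}: LAN 192.168.1.10 allowed={client_allowed(cfg, '192.168.1.10')}, "
              f"internet allowed={is_public(cfg)}")
```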
After logging into NextCloud, click on "Set Location For Weather". Choose autodetect or enter your address.
Click on the user icon (top right of page, should be first letters of your user name), select settings. Set the following values (all optional):
Nextcloud can send password reset emails, notify users of new file shares, changes in files, and activity notifications. Users configure which notifications they want to receive on their personal pages.
NextCloud connects to your existing mail server. You must have an active mail server for NextCloud to be able to send emails. The mail server may be on the same machine as NextCloud, or it may be a remote server (such as google mail).
If you want newly added users to receive a welcome email with further instructions, configure email before adding any users.
From the NextCloud main page, click the user icon (top right of page, should be the first letters of your user name), select "Basic Settings", and follow the NextCloud email configuration guide to set up and test email functionality.
Click on the user icon (top right of page, should be first letters of your user name), select "Users".
If the user is not an administrator (limited access), create a "User" group. Click on "Add Group" and enter a group name, click on the arrow to add the group.
Click on "New User" (top left of page). Enter the following values:
Newly added users will receive a welcome email with further instructions for setting up their profile.
If NextCloud is to be used for collaboration on projects, create a group for each project and add project users for each project.
In addition to browser access, NextCloud provides clients for desktop (Windows, macOS, Linux) and mobile devices (Android, iOS). For performance reasons, accessing NextCloud from mobile browsers is not recommended. Choose the clients of interest and install them on your devices.
NextCloud client applications allow file sync between your NextCloud server and client devices, plus provide notifications of events such as new files, incoming call invites and messaging mentions.
Files can be shared and synced (between devices) publicly (everyone), with group members or individual members or private (not shared). Consult the NextCloud file sharing documentation.
It is useful to synchronize photos / videos from mobile devices to NextCloud to handle events such as police seizing camera footage in futile attempts to suppress / spin acts of public protest, etc.
File sync from mobile devices also means that you do not lose your data if your device is lost, stolen or breaks.
NextCloud Talk (watch the demo video) is a totally secure, self-hosted (no third-party servers snooping on your communications) multi-party video conferencing, screen sharing and chat application equivalent to Google Meet.
To install NextCloud Talk, from the main NextCloud page, select your user icon (top right), select "Apps", scroll down to "Talk", select "Download and Enable". After the Talk icon changes to "Disable", return to the main page.
An example NextCloud Talk session is shown below (bad hair day):
Figure 5: NextCloud Talk Session
If NextCloud has been configured for public internet access (Nginx), a Turn Server is required to allow media streams to traverse firewalls. SecureOffice provides Coturn, a combination Stun / Turn server for firewall traversal. If all clients are connected via SecureOffice VPN (all clients on local LAN), no Turn server is required.
To install Coturn, enter "opkg install coturn". Coturn is automatically configured during install.
NextCloud Talk must be configured to use coturn. From the NextCloud main page, click on your user icon (top right), select "Settings". On the left, scroll down to and select "Talk".
Scroll down to "Stun Servers". Enter "<your domain name without www>:3478". Example: "example.com:3478"
Scroll down to "Turn Servers", select "+" to add a server. Enter "<your domain name>:3478" in the server field. Example: "example.com:3478"
Using a SSH session to SecureOffice, enter "cat /etc/turnserver.conf | grep static-auth-secret=". Copy the value (example: "d9d85894ff0724b00f021c7ea717b2feba7bde3f359ce9dc490bb00001e550cc") and paste it into the NextCloud Turn Server "secret" field. The "static-auth-secret" value was randomly created at coturn install and is part of the NextCloud / coturn authentication mechanism.
The Turn server listening port (example: 3478, tcp and udp) must be opened on the SecureOffice firewall.
To verify firewall traversal, three PCs (you and two friends at separate internet addresses, with email addresses) are required. Each PC must have configured camera, audio input and output devices.
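To show what the copied secret is for, here is an added Python example (not SecureOffice, coturn or NextCloud code) of the TURN REST API credential scheme that coturn's use-auth-secret / static-auth-secret settings enable: the secret stays on the servers, and clients only ever receive short-lived credentials derived from it. The secret value and user id below are constructed placeholders.

```python
import base64
import hashlib
import hmac
import time

# Constructed placeholder: the real value is the static-auth-secret printed by
# "grep static-auth-secret= /etc/turnserver.conf" on SecureOffice.
STATIC_AUTH_SECRET = "replace-with-your-static-auth-secret"


def turn_credentials(secret: str, user_id: str, expires_at: int) -> tuple:
    """Derive time-limited TURN credentials from the shared secret.

    With use-auth-secret, coturn accepts username "<expiry>:<id>" and password
    base64(HMAC-SHA1(secret, username)). The NextCloud server hands such a pair
    to each Talk client; it stops working at <expiry> (Unix time) and never
    reveals the secret, which is why only NextCloud and coturn hold it.
    """
    username = f"{expires_at}:{user_id}"
    digest = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    return username, base64.b64encode(digest).decode()


def verify_turn_credentials(secret: str, username: str, password: str, now: int) -> bool:
    """Mirror of the check coturn performs: recompute the HMAC and honour expiry."""
    expected = base64.b64encode(
        hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    ).decode()
    if not hmac.compare_digest(expected, password):
        return False  # wrong secret or tampered credential
    expiry, _, _ = username.partition(":")
    return expiry.isdigit() and now < int(expiry)


if __name__ == "__main__":
    now = int(time.time())
    user, pw = turn_credentials(STATIC_AUTH_SECRET, "alice", now + 24 * 3600)
    print("username:", user)
    print("password:", pw)
    print("valid now:", verify_turn_credentials(STATIC_AUTH_SECRET, user, pw, now))
```

Because every credential is bound to an expiry and to the secret, a credential captured from a client is useless once it expires and cannot be used to recover the secret, whereas leaking the static-auth-secret itself lets anyone mint valid credentials and relay traffic through your coturn.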
Optional: Add your two friends as users.
From the NextCloud main page, select "Talk" ("Q" icon).
NextCloud does not provide a desktop talk client. Instead, the NextCloud desktop client provides notifications of NextCloud events such as incoming talk call and mentions in messages. Selecting the event notification opens your browser to the webpage containing the event of interest.
NextCloud clients (including Talk) are available for Android and iOS. Due to mobile browser performance limitations, it is important to use mobile clients for NextCloud Talk.
NextCloud has many other applications such as phone / device trackers, collaboration apps, contact managers, schedule managers, email, password and bookmark managers, etc. A full list is available here.
Due to shared files, the amount of NextCloud data can become quite large, beyond the ability of OpenWrt (web GUI) backup to handle. SecureOffice provides an alternate automatic mechanism for backing up large amounts of data. This is essentially a cron job performing a periodic backup integrated with the normal backup process. Details are documented in Backup / Restore Large Amounts of Data.